Analysis and opinion by Christopher Soghoian, security and privacy researcher.

Wednesday, March 11, 2009

White House ends "experiment," goes back to YouTube

Sigh. I was all set to write a blog post praising the White House.

A week ago, I wrote about the new "delayed cookie" option that YouTube was offering, and particularly, the company's broken promises with regard to privacy. The short version is that YouTube is serving videos from a new "www.youtube-nocookie.com" domain, while quietly forcing Flash cookies upon users who view any page that had embedded one of those videos.

What I didn't mention in that blog post was that the new White House, YouTube-free Flash-based video tool was doing the same thing. That is, anyone who visited the White House blog would receive a long-term Flash cookie, even if they never clicked play.

I'd been kicking the White House in the knees for much of the last couple months, and so I thought I would give them a break, at least for a couple weeks, while I focused my attention on YouTube/Google. I did, however, drop the White House Web team a friendly email to let them know about this Flash cookie issue.

Fast forward one week, and it seems that the White House has quietly made another change to its site, this time doing away with the Flash-based cookies for its Akamai hosted video player. This is great news.

The White House received a bit of criticism, and, yet again, in response, they changed their policies for the better.

This blog post should have ended there, with praise for the White House, and their rapid positive response to the concerns of the privacy community.

Unfortunately, there is some bad news.

Back to YouTube

The White House first rolled out its own Flash-based video solution for the President's video messages on Feb 28th. Responding to my blog post at CNET on the issue, the White House quickly spun the news as an "experiment" and in no way a shift of policy.

Over the next few days, the White House gave me a bit of reason to be hopeful, as it then posted several more videos to its site, all using its own Flash based tool.

However, at least based on the appearance of a 30 minute video embedded into the White House page today, it looks like the "experiment" is over. YouTube is back.

While this new video uses YouTube's "delayed cookie" option, due to the Flash cookie issue mentioned earlier, visitors to the White House site continue to receive long-term tracking Flash cookies, even if they never click play.

I am honestly rather disappointed in the White House for this move. As long as YouTube continues to force any tracking mechanism, be it a html cookie, flash cookie, or via any other form, the White House simply should not be embedding YouTube videos in its website.

Of course, this return to YouTube comes the very same day that Google has announced that it will start using cookies to track the web-surfing behavior of users across the Internet, which it will then use to serve them targeted advertisements. This raises serious questions -- namely, will tracking data from videos embedded into the White House Web site end up in Google's targeted advertising database?

This comes off as yet another slightly paranoid, barely-tech-savvy self-aggrandizer ranting about things they don't understand.

Hint: there isn't such a thing as an HTML cookie. You might learn the difference between HTML and HTTP before making your paranoia this public; an understanding of the underlying technologies actually IS critical to a rational discussion of the issues therein.

Christopher Soghoian, Ph.D. is a Washington, DC based privacy and security researcher. He is the Principal Technologist in the Speech, Privacy and Technology Project at the American Civil Liberties Union.